Abstract—We present two Secure Two Party Computation
(STPC) protocols for piecewise function approximation on private
data. The protocols rely on a piecewise approximation of the
to-be-computed function easing the implementation in a STPC
setting. The first protocol relies entirely on Garbled Circuit (GC)
theory, while the second one exploits a hybrid construction where
GC and Homomorphic Encryption (HE) are used together. In
addition to piecewise constant and linear approximation,
polynomial interpolation is also considered. From a communication
complexity perspective, the full-GC implementation is preferable
when the input and output variables can be represented with
a small number of bits, while the hybrid solution is preferable
otherwise. With regard to computational complexity, the full-GC
solution is generally more convenient.

Index Terms—Secure Two Party Computation, Signal Processing
in the Encrypted Domain, Computing with private data,
Garbled Circuits, Homomorphic Encryption

I. Introduction 

The interest towards applications where two or more non-trusted
parties wish to collectively process one or more signals to reach a
common goal has prompted the quest of tools and protocols capable of
processing signals and data directly in the encrypted domain. The
availability of such protocols would avoid that non-trusted parties
refuse to cooperate even when they have a common goal because they
are not willing to disclose their private inputs to the other
parties. Processing signals directly in the encrypted domain,
in fact, allows each party to observe only its own input and
its share of the computation output, thus avoiding the need to
disclose sensitive information to the others. In recent literature,
protocols like those described above are often referred to as
Signal Processing in the Encrypted Domain (s.p.e.d.). The
number of possible applications of s.p.e.d. is virtually endless.
Among the most interesting scenarios investigated so far
we mention: private data mining, secure processing of
biometric data, secure processing of biomedical signals,
processing of private user preferences, fusion of private data, etc.

From a technical point of view, s.p.e.d. protocols rely on
Secure Multi-Party Computation (SMPC), a cryptographic
discipline rooted in the seminal works by Goldreich,
Rivest et al. [12] and Yao. In the simplest case, like
the one considered in this paper, the protocol involves only
two parties. In this case, we speak about Secure Two-Party
Computation (STPC) instead of SMPC. In a general STPC
setting, one party, say Alice, owns a signal that must be
processed in some way by the other party, hereafter referred to
as Bob. Bob must process Alice's signal without getting any
information about it, in some scenarios not even the result of
the computation. At the same time, Bob is interested in protecting
the information he uses to process the signal.

A revised version of the paper will be soon submitted to IEEE Transactions
on Information Forensics and Security.

Several cryptographic primitives for STPC exist, which,
when coupled with a suitable design of the underlying signal
processing algorithms, permit to process the signals in a secure
way. The two main approaches to STPC are based, respectively,
on Homomorphic Encryption (HE) and Garbled Circuits
(GCs). HE provides a simple and elegant way to evaluate
linear operations on encrypted data; however, when non-linear
operations are involved, it is necessary to resort to ad-hoc,
interactive and usually complex protocols. For instance,
researchers have developed HE-based protocols to compute
common non-linear functions such as bit decomposition and
comparison, division, etc. On the other hand, GCs
allow to evaluate any function that can be represented with an
acyclic boolean circuit. For this reason GCs are very powerful
tools when the functionalities involved in the computation can
be represented by simple circuits, like in the case of comparison,
addition, multiplexing, etc. In other cases, however,
the boolean circuit required to describe the functionality is
so complex as to make the use of GCs problematic. This is the
case, for instance, of product, division, logarithm
computation, etc. Given the complementary pros and cons of
HE and GC, the use of hybrid protocols has been proposed to
take advantage of the benefits offered by the two approaches,
so that complex protocols are developed as a concatenation of
sub-protocols, some of them implemented by using HE and
others by using GCs. A simple protocol to securely
link HE and GC subprotocols has also been described in the literature.

Recently, Fully Homomorphic Encryption (FHE) schemes
have been proposed, allowing the evaluation
of both addition and product between encrypted values on
the service provider side, without any interaction with the
party owning the public key, whose only task is to encrypt
the inputs and decrypt the results. Unfortunately, FHE is still
highly inefficient, principally due to the huge size of the public
key.

Regardless of the adopted approach, computing a generic
function, like trigonometric, hyperbolic and statistical functions,
on private data is a difficult problem. Classical HE
schemes do not provide a general approach
for universal function evaluation, while both GC and FHE
require that the to-be-computed function is described as a
logical circuit working on binary variables, thus making the
implementation of complex functions, like trigonometric functions,
extremely inefficient.

With the above ideas in mind, the main contribution of this
paper is the proposal of a new class of protocols that permit to
evaluate privately a piecewise constant, linear or polynomial
approximation of any function $f()$ having limited domain
and codomain, for any given choice of the approximation
parameters like the representation error and the accuracy of
the input and output variables. To start with, the piecewise
approximation is determined, specifying the sub-intervals the
function domain is split into to define the piecewise approximation,
and the approximation parameters to be used within
each subinterval. Then, given the input, the actual function
approximation consists of three main steps: interval detection,
parameter retrieval and approximation. In the first step the
domain interval the input belongs to is detected, then the
parameters of the (constant, linear or polynomial) approximation
are retrieved and finally the actual approximating value
is evaluated.

The present work generalizes and improves the system proposed
in [23], where piecewise linear function approximation
by means of full-GC or hybrid protocols is considered. As
a first main difference, in this paper we consider a general
approximation framework, which is not limited to piecewise
linear functions, but includes also polynomial approximation.
Secondly, and equally important, the efficiency of the protocols
proposed in [23] is significantly improved with regard to
both the full-GC and hybrid implementations. Specifically, the
complexity of the segment detection phase is decreased from
$O(N\ell)$ to $O(N)$, where $N$ is the number of segments and $\ell$ the
input bitlength, and the complexity of the parameter retrieval
phase is diminished down to a point to become negligible.

With respect to the two approaches proposed in the paper, 
one fully based on GC and the other relying on a hybrid 
protocol, we show that from a communication point of view 
the hybrid solution is preferable when the input is represented 
with a large number of bits and a high precision is needed, 
otherwise the full-GC solution is preferable. With regard to 
computational complexity, our implementations reveal that
the full-GC solution is always preferable.

This paper is organized as follows. In Section II the main
cryptographic tools the protocols rely on are presented. The
general framework for piecewise polynomial approximation
is presented in Section III together with the instantiations
of such a framework for specific cases of particular interest.
The number of bits that must be used to represent the protocol
variables is evaluated in Section IV as a function of
the approximation error. Different STPC implementations for
various classes of approximation functions are presented in
Section V and compared in Section VI. The paper ends with
some conclusions in Section VII.


II. Cryptographic Tools

In this section, we present the cryptographic primitives at
the bases of our protocols, namely Oblivious Transfer (OT),
Garbled Circuits (GC) and Homomorphic Encryption (HE).

Throughout the paper we adopt the semi-honest security
model, where the parties involved are assumed to follow the
protocol as prescribed but try to learn as much as possible
from the exchanged messages and their private inputs. While
the security of the single tools in the semi-honest setting
is demonstrated in the original papers, the security of their
composition in hybrid protocols has also been proven in the literature.

A. Homomorphic Encryption

With a semantically secure, additively homomorphic, asymmetric
encryption scheme, it is possible to obtain the encryption
of the sum of two values $a$ and $b$ available in encrypted
form through the product of the corresponding ciphertexts. In
other words, by denoting with $[\![\cdot]\!]$ the encryption operator, we
have $[\![a + b]\!] = [\![a]\!] \cdot [\![b]\!]$. In a similar way it is possible to
compute the product between two values, one of them available in
non-encrypted form, through exponentiation, i.e. $[\![ab]\!] = [\![a]\!]^b$.
More complex functionalities, such as bit decomposition [24]
and comparison [25], can also be evaluated by interacting with
the owner of the decryption key in protocols characterized by a
rather high complexity in terms of protocol rounds and number
of transmitted ciphertexts.

The most widely used additively homomorphic cryptosystem
is the Paillier cryptosystem with plaintext space and
ciphertext space Z^ 2 , where is a T-bit RSA modulus and
a ciphertext is represented with $2T$ bits. The communication
complexity of HE-based protocols is mainly related to the
number of ciphertexts to be transmitted and the number of
rounds necessary for the protocol evaluation. The computational
complexity is usually measured in terms of number of
modular exponentiations, and by considering that encryption
and decryption have a complexity similar to exponentiations.

B. Oblivious Transfer

Oblivious Transfer (OT) protocols allow one party, the
chooser, to select one out of two (or more) inputs provided by
another party, the sender, in a way that protects both parties:
the sender is assured that the chooser does not receive more
information than it is entitled to, while the chooser is assured
that the sender does not learn which input he received.

OT protocols can be subdivided in two phases: the offline
and online phases. It is customary to move the setup
operations and a great part of the most computationally
expensive operations to the offline phase, which is performed
during inactivity, and during which the chooser and the sender
evaluate many OTs computed on random values. Then, during
the online phase the results of the precomputed OTs are used to
update the OTs to the actual values. During the offline
phase a great number of OTs can be evaluated in parallel in
3 communication rounds, transmitting $6t$ bits for each OT,
where $t$ is the input bitlength, while the online phase needs
only the transmission of $2t$ bits in 2 rounds for each OT [28].

C. Garbled Circuits

Any boolean circuit containing no cycle can be privately
evaluated on secret inputs by using Garbled Circuits (GC).
Despite several optimizations proposed later, the overall protocol
for GC evaluation is still similar to the first one proposed
by Yao. As shown in Figure 1, a GC is evaluated in
three steps. During garbling, one party, the sender, associates
a couple of secrets (one for each logical value) to each wire
of the circuit and garbles each gate by encrypting, for each
row of the corresponding truth table, the secret associated to
the output by using the two secrets associated to the inputs.
In the transmission phase, the sender transmits the garbled
tables to the other party, the receiver. Moreover the sender
transmits the secrets associated to the input wires linked to
his inputs, while the receiver obtains the secrets of his input
wires by performing an OT together with the sender. Finally,
during evaluation, the receiver decrypts the secrets gate by gate
starting from the gates connected to the inputs (for a detailed
description of each of the above steps we refer to [30]).

Figure 1. Garbled circuit scheme.

Thanks to recent optimizations [33], garbling,
transmission and evaluation of XOR gates have negligible
complexity, while for each non-XOR binary gate circuit garbling
requires the computation of 3 Hash functions and the
transmission of $3t$ bits, where $t$ is a security parameter (usually
$t = 80$ for short term security). In addition, gate evaluation
requires the computation of a Hash function with probability
3/4. For each input bit of the sender, a secret of $t$ bits is
transmitted, while for each input bit of the receiver an OT is
evaluated ($2t$ bits transmitted online). We underline that if the
sender and the receiver know in advance the functionality to be
evaluated, garbling and circuit transmission can be performed
offline, when the inputs are not yet available.
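
The three steps described in this section (garbling, transmission, evaluation) can be followed on a two-gate circuit. The code below is an added example, not the authors' implementation: it uses the classic four-row garbled table with SHA-256 and a constructed all-zero tag instead of the optimizations cited above, and the receiver's OT is replaced by a direct selection of the secret.

```python
import hashlib
import secrets

T_BYTES = 10      # t = 80-bit wire secrets, the short-term value quoted in the text
TAG = bytes(6)    # constructed all-zero tag used to recognise the right row

def new_wire():
    """Couple of secrets for one wire: index 0 encodes logical 0, index 1 logical 1."""
    return (secrets.token_bytes(T_BYTES), secrets.token_bytes(T_BYTES))

def _pad(secret_a, secret_b, gate_id):
    """Hash the two input secrets (and the gate number) into a one-time pad."""
    digest = hashlib.sha256(secret_a + secret_b + gate_id.to_bytes(4, "big")).digest()
    return digest[:T_BYTES + len(TAG)]

def _xor(left, right):
    return bytes(p ^ q for p, q in zip(left, right))

def garble_gate(gate_fn, wire_a, wire_b, wire_out, gate_id):
    """Sender: encrypt, for each truth-table row, the output secret under the input secrets."""
    rows = []
    for bit_a in (0, 1):
        for bit_b in (0, 1):
            out_secret = wire_out[gate_fn(bit_a, bit_b)]
            rows.append(_xor(out_secret + TAG, _pad(wire_a[bit_a], wire_b[bit_b], gate_id)))
    secrets.SystemRandom().shuffle(rows)   # row order must not reveal the input bits
    return rows

def evaluate_gate(rows, secret_a, secret_b, gate_id):
    """Receiver: exactly one row decrypts to a valid tag for the two secrets held."""
    pad = _pad(secret_a, secret_b, gate_id)
    for row in rows:
        plain = _xor(row, pad)
        if plain[T_BYTES:] == TAG:
            return plain[:T_BYTES]
    raise ValueError("no row decrypts under these input secrets")

def garbled_eval(a, b, c):
    """Evaluate (a AND b) OR c; a is the sender's bit, b and c are the receiver's bits."""
    # Garbling (sender side).
    wires = {name: new_wire() for name in ("a", "b", "c", "and", "out")}
    and_rows = garble_gate(lambda x, y: x & y, wires["a"], wires["b"], wires["and"], 0)
    or_rows = garble_gate(lambda x, y: x | y, wires["and"], wires["c"], wires["out"], 1)
    # Transmission: the sender sends its own input secret; the receiver's secrets
    # would be obtained through OT, simulated here by a plain selection.
    secret_a = wires["a"][a]
    secret_b = wires["b"][b]
    secret_c = wires["c"][c]
    # Evaluation (receiver side), gate by gate from the inputs.
    secret_and = evaluate_gate(and_rows, secret_a, secret_b, 0)
    secret_out = evaluate_gate(or_rows, secret_and, secret_c, 1)
    # Output decoding: map the final secret back to its logical value.
    return wires["out"].index(secret_out)
```

The receiver only ever holds one secret per wire, so intermediate values such as the AND output stay hidden until the final decoding step.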


III. Function approximation

Given a generic limited function $f()$ with domain $Dom = [x_a, x_b)$
and codomain $[y_a, y_b)$, our goal is to find a way to
approximate $f()$ in $Dom$ so that the approximation can be
efficiently evaluated in the encrypted domain, as shown later
in Section V. The solutions we focus on in this paper permit
to represent a sampled and quantized version of $f()$ - say
$\bar{f}()$ - through a piecewise polynomial function $\tilde{f}()$, as shown
in Figure 2. To be specific, the approximation procedure we
propose consists of two main steps. First the domain of $\bar{f}()$ is
partitioned into a given number of non-overlapping intervals.
Then, for each interval, a polynomial is chosen to approximate
$\bar{f}()$.


[Block diagram: f(x) -> Sampling and Quantization -> Segmentation and Approximation]

Figure 2. High level steps to map a function $f(x)$ into a piecewise
polynomial function $\tilde{f}(\bar{x})$ in a discrete space.


A. Quantization 

First of all, considering that STPC protocols work with
integer values, we introduce a discretized version of $f()$. To
do so, we assume that the input variable $x$ is represented by
$\ell_x$ bits and the function output $y$ with $\ell_y$ bits. We also find it
convenient to translate and scale the domain and codomain of
$f()$ and to represent input and output by using integer numbers
so that the input ranges in the interval $[0, n) \cap \mathbb{N}$ and the output
in the interval $[0, m) \cap \mathbb{N}$, where $n = 2^{\ell_x}$ and $m = 2^{\ell_y}$.
More specifically, we define the normalized and quantized
input and output variables respectively as $\bar{x} = \lfloor q_x (x - x_a) \rfloor$,
with $q_x =$ and $\bar{y} = \lfloor q_y (y - y_a) \rfloor$ with $q_y =$ Of
course, these operations introduce an approximation error
that can be reduced by increasing $\ell_x$ and $\ell_y$. In particular $\ell_y$
must be chosen large enough so that the step used to quantize
the output is lower than the desired approximation error, i.e.
$1/q_y < \epsilon$. With the above understanding, the normalized and
discretized version of $f()$ can be represented by a sequence
of value pairs $(\bar{x}_i, \bar{y}_i)$, with $\bar{x}_i = i$, $\forall i = 0 \ldots n-1$ and
$\bar{y}_i = f$ In other words, for any $i$
ranging from $0$ to $n-1$ we have $\bar{y}_i = \bar{f}(\bar{x}_i)$.


D. Hybrid protocols 

The use of hybrid protocols, such as in [7], permits to
efficiently evaluate functionalities for which full-HE or full-GC
solutions would not be efficient (or even impossible).
Given that GC and HE rely on different ways of representing
data, conversion from homomorphic ciphertexts to garbled
secrets (or vice versa) must be performed by resorting to
interfacing protocols based on additive blinding. In particular,
by referring to these interfacing protocols, it is easy to
derive that the conversion of an $\ell$-bit long value from HE to
GC requires the on-line transmission of additional 2T + lit
bits, while conversion from GC to HE requires an overhead
of $2T + (\ell + \tau)5t$ bits, where $\tau$ is an obfuscation security
parameter (usually $\tau = 80$).
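
The additive property of Section II-A and the additive blinding that carries a value from HE to GC can be exercised with a toy Paillier instance. This is an added example, not code from the paper: the modulus is built from two constructed Mersenne primes (no real security), the names `encrypt`, `he_add`, `he_mul_const`, `he_linear` and `he_to_gc_inputs` are hypothetical, and the garbled subtraction that removes the mask is stood in for by plain integer arithmetic.

```python
import math
import secrets

# Constructed toy key: two Mersenne primes. Fine for a demo, useless for real security.
P, Q = 2 ** 61 - 1, 2 ** 89 - 1
N = P * Q                                            # public modulus, T = N.bit_length() bits
N2 = N * N                                           # ciphertexts live modulo N^2 (2T bits each)
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)    # private: lcm(P-1, Q-1)
MU = pow(LAM, -1, N)                                 # private: LAM^-1 mod N (generator N+1)

def encrypt(m):
    """Paillier encryption with generator N+1: (1 + m*N) * r^N mod N^2."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c):
    """Recover m from c using the private values LAM and MU."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def he_add(c1, c2):
    """Encryption of a + b from the encryptions of a and b: ciphertext product."""
    return c1 * c2 % N2

def he_mul_const(c, k):
    """Encryption of a * k from the encryption of a and the plain k: exponentiation."""
    return pow(c, k, N2)

def he_linear(c_x, slope, offset):
    """Encryption of slope * x + offset, the kind of linear operation HE handles directly."""
    return he_add(he_mul_const(c_x, slope), encrypt(offset))

def he_to_gc_inputs(c_x, ell, tau=80):
    """HE -> GC interface by additive blinding for an ell-bit value x.

    The party holding the ciphertext adds a random (ell + tau)-bit mask r under
    encryption and sends one ciphertext; the key owner decrypts x + r, which
    statistically hides x. The two returned integers are the parties' inputs to
    a garbled subtractor that outputs x as garbled secrets.
    """
    if ell + tau + 1 >= N.bit_length():
        raise ValueError("mask would wrap around the plaintext space")
    r = secrets.randbits(ell + tau)          # known only to the ciphertext holder
    blinded = he_add(c_x, encrypt(r))        # one ciphertext on the wire
    masked = decrypt(blinded)                # key owner learns x + r only
    return masked, r
```

With `masked, r = he_to_gc_inputs(encrypt(12345), ell=16)` the difference `masked - r` gives back 12345, which is the value the garbled subtractor would produce inside the circuit.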


B. Domain Partitioning and Polynomial Approximation 

Generally speaking, given the degree of the polynomials
used for the approximation, determining the best way of
partitioning the domain of $\bar{f}()$ is not an easy task. For
this reason, we avoid looking for the optimal segmentation
of $Dom$ and restrict our analysis to the identification of a
partition that permits to keep the approximation error below a
predefined value, while allowing an efficient implementation
by relying on STPC techniques. In other words, regardless of
the polynomial degree, given an error $\epsilon > 1/q_y$, the goal is to
partition the domain into intervals $S_j$, each delimited by the
left and right extremes $s_j^l$ and $s_j^r$, wherein the distance between
$\bar{f}(\bar{x}_i)$ and the looked-for approximation $\tilde{f}(\bar{x}_i)$ is lower than
the given error, i.e., considering the amplification factor in the
output, $|\bar{f}(\bar{x}_i) - \tilde{f}(\bar{x}_i)| < \epsilon q_y$.

To determine a partition of $Dom$ with the desired characteristics,
we use a bisection algorithm, inspired by a divide and
conquer strategy. The partitioning algorithm starts with the
analysis of the whole segment $S = Dom$, which is subdivided
by using the following recursive procedure:

1) A polynomial approximation of $\bar{f}()$ in $S$ is computed
and the maximum error $\epsilon_S = \max_{\bar{x}_i \in S} |\bar{f}(\bar{x}_i) - \tilde{f}(\bar{x}_i)|$
is evaluated;

2) if $\epsilon_S < \epsilon q_y$ the parameters of the interpolating polynomial
are stored and the set is marked as a leaf of
the binary-tree associated to the bisection algorithm,
otherwise

a) $S$ is marked as a node of the binary-tree and
subdivided into 2 subsets each one having size one
half of $S$,

b) the procedure is applied from step 1 to each subset.

Note that if a good approximation is not found, the bisection
continues until the leaves of the tree coincide with the single
points of the discrete domain. In addition to its simplicity,
the above bisection algorithm ensures that the size of all the
intervals of the partition is a power of 2, thus enabling an
efficient GC implementation of the approximation algorithm,
as shown in Section V-A.
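
The recursive procedure above, run on the sinc example with constant and least-squares linear fits, as an added example that is not the authors' code. It goes slightly beyond the passage by also locating the leaf for an input from its most significant bits, as the interval detection step of the full-GC solution does. Assumptions: unnormalized sinc(x) = sin(x)/x, constructed bit lengths and codomain bounds, and scale factors taken as n/(x_b - x_a) and m/(y_b - y_a).

```python
import math

ELL_X, ELL_Y = 10, 10                 # input and output bit lengths (constructed values)
N, M = 2 ** ELL_X, 2 ** ELL_Y
X_A, X_B = 0.0, 10.0                  # domain of the sinc example in the text
Y_A, Y_B = -0.25, 1.25                # constructed codomain bounds that contain sinc
Q_X = N / (X_B - X_A)                 # assumed input scale factor q_x
Q_Y = M / (Y_B - Y_A)                 # assumed output scale factor q_y
EPS = 0.01                            # target error; must satisfy EPS > 1/Q_Y

def sinc(x):
    return 1.0 if x == 0 else math.sin(x) / x

# Quantized function: one integer output for each integer input 0..N-1.
F_BAR = [math.floor(Q_Y * (sinc(X_A + i / Q_X) - Y_A)) for i in range(N)]

def fit_constant(lo, size):
    """Midpoint of max and min, which minimizes the maximum error on the segment."""
    ys = F_BAR[lo:lo + size]
    c = (max(ys) + min(ys)) / 2
    return lambda x: c

def fit_linear(lo, size):
    """Least-squares line m * (x - lo) + q over the segment."""
    ys = F_BAR[lo:lo + size]
    if size == 1:
        return lambda x: ys[0]
    mean_t, mean_y = (size - 1) / 2, sum(ys) / size
    var_t = sum((t - mean_t) ** 2 for t in range(size))
    m = sum((t - mean_t) * (y - mean_y) for t, y in enumerate(ys)) / var_t
    q = mean_y - m * mean_t
    return lambda x: m * (x - lo) + q

def bisect(lo, size, fit):
    """Steps 1 and 2: keep the segment as a leaf if the fit is good, else halve it."""
    approx = fit(lo, size)
    err = max(abs(F_BAR[x] - approx(x)) for x in range(lo, lo + size))
    if err < EPS * Q_Y:
        return {"lo": lo, "size": size, "approx": approx}
    half = size // 2
    return {"children": (bisect(lo, half, fit), bisect(lo + half, half, fit))}

def leaves(tree):
    """Segments of the final partition, from left to right."""
    if "children" in tree:
        return leaves(tree["children"][0]) + leaves(tree["children"][1])
    return [tree]

def lookup(tree, x):
    """Walk from the root, choosing a child by the next most significant bit of x."""
    depth = 0
    while "children" in tree:
        bit = (x >> (ELL_X - 1 - depth)) & 1
        tree = tree["children"][bit]
        depth += 1
    return tree

def max_error(tree):
    """Largest distance between the quantized function and its approximation."""
    return max(abs(F_BAR[x] - lookup(tree, x)["approx"](x)) for x in range(N))
```

Calling `len(leaves(bisect(0, N, fit_constant)))` and the same with `fit_linear` shows how the approximation type changes the number of segments for the same error bound.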

The depth of the tree and the number of segments of the final
partition depend on the approximation type. Here we consider
constant, linear and polynomial approximations and exemplify
the results by considering the approximation of $sinc(x)$ (see
Figure 3). We assume that approximation parameters are real-valued,
postponing the discussion about their integer representation
within secure protocols to Section IV.

1) Constant approximation:

In this case $\bar{f}()$ is approximated by a constant. Given a
segment $S_j$, the maximum approximation error is minimized
by choosing the approximating constant as

$$c_j = \frac{\max_{\bar{x} \in S_j} \bar{f}(\bar{x}) + \min_{\bar{x} \in S_j} \bar{f}(\bar{x})}{2}.$$

If $|c_j - \bar{f}(\bar{x})| < \epsilon q_y$ for all the values in $S_j$, the approximation
is satisfactory, otherwise the segment is subdivided again.
The main advantage of this approximation is its simplicity. A
single value is assigned to each leaf of the quad-tree and, once
the correct leaf has been selected, the approximated value is
immediately obtained, with no additional operations.

2) Linear approximation: 

In each segment $S_j$, $\bar{f}()$ is approximated through a linear
function:

$$m_j(\bar{x} - s_j^l) + q_j,$$

where $s_j^l$ is the left extreme of the segment and $m_j$ and $q_j$ are
chosen so to minimize $\max_{\bar{x} \in S_j}\{|\bar{f}(\bar{x}) - m_j(\bar{x} - s_j^l) - q_j|\}$.
Due to the difficulty of solving the above minimization, we
replace it with the search for the regression line that minimizes
the square error, i.e. we solve $\min \sum_{\bar{x} \in S_j} (\bar{f}(\bar{x}) - m_j(\bar{x} - s_j^l) - q_j)^2$.
Then the maximum error in the interval is evaluated
and if it is not lower than the desired error the segment is
subdivided again.


3) Continuous linear approximation: 

Assuming that the domain is subdivided into $m$ segments,
we may desire to enforce the continuity between the linear
approximations used in consecutive segments, even if this can
result in a larger number of segments. To do so we need to
solve the following linear optimization problem:

$$\begin{cases} \min \max_{\bar{x} \in Dom} \{|\bar{f}(\bar{x}) - m_{j(\bar{x})}(\bar{x} - s_{j(\bar{x})}^l) - q_{j(\bar{x})}|\} \\ q_{j+1} = m_j (s_j^r - s_j^l) + q_j \quad \forall j = 0 \ldots m-2 \end{cases} \qquad (1)$$

where $j(\bar{x})$ denotes the segment $S_j$ containing $\bar{x}$, while $s_j^l$ and
$s_j^r$ are the left and right extremes of the segment $S_j$.

We can easily observe that the above optimization problem
has $2m$ variables and $m - 1$ constraints. In addition, if a
certain partition does not guarantee an error lower than the
target maximum error, some segments must be split and
the whole optimization problem has to be solved again.
To simplify the problem, we decided to impose that the
approximating function is equal to the original one at the
extremes of each segment. This is obviously a sub-optimal
solution that, however, permits to compute very quickly the
desired approximation. Under this assumption, the continuous
linear piecewise approximation is fully defined by the extreme
points of the $m$ segments, i.e. the $m + 1$ couples $(s_0^l, y_0^l)$,
$(s_1^l, y_1^l)$, ..., $(s_{m-1}^r, y_{m-1}^r)$, where $y_j^l$ and $y_j^r$ are
the values that the quantized function assumes in the extreme
points of the segment $S_j$ and, again, $s_j^r = s_{j+1}^l$ and $y_j^r = y_{j+1}^l$.

With these assumptions, in each segment $j$, we have
$m_j = \frac{y_j^r - y_j^l}{s_j^r - s_j^l}$ and $q_j = y_j^l$.

4) Polynomial approximation: 

In order to improve the accuracy of the approximation within
each interval and consequently reduce the number of segments
required to obtain a given precision, we can use a
polynomial approximation. Without imposing any continuity
constraint across the intervals, and given the polynomial
degree $d$, the coefficients of the polynomial that minimizes
$\max_{\bar{x} \in S_j}\{|\bar{f}(\bar{x}) - \sum_{i=0}^{d} a_{j,i}(\bar{x} - s_j^l)^i|\}$ in a generic
interval $j$ can be obtained by searching the coefficients of the
regression line that better approximates the set of points
{(l, ..., in a space of $d + 2$ dimensions.
If the approximation error given by the polynomial
is not lower than the threshold, the interval is split again and
a new polynomial is searched in the new partition.


5) Continuous polynomial approximation: 

If we require that the approximation is continuous on the
border of different segments, we can impose that the values
assumed by the polynomial on the extreme points of the segments
are equal to those assumed by the to-be-approximated
function. The polynomial of degree $d$ approximating $\bar{f}()$ in a
section $S_j$ can then be obtained by the polynomial of degree
$d - 1$ approximating the function.

[Panels: (a) Original; (b) Continuous Linear Approximation; (c) Continuous Quadratic Approximation]

Figure 3. Approximation of sinc(x) in [0,10) with different classes of interpolating functions.

Starting from a linear approximation in the interval obtained
as described in Section III-B3, a quadratic approximation
function can be obtained as $\tilde{f}_j(\bar{x}) = b_{j,0} + b_{j,1}(\bar{x} - s_j^l) +
b_{j,2}(\bar{x} - s_j^l)(\bar{x} - s_j^r)$, where $b_{j,0} = q_j$ and $b_{j,1} = m_j$. The
approximation error inside the interval depends on the value
of $b_{j,2}$ and can be expressed as

$$\epsilon_2(\bar{x}, b_{j,2}) = \bar{f}(\bar{x}) - b_{j,0} - b_{j,1}(\bar{x} - s_j^l) - b_{j,2}(\bar{x} - s_j^l)(\bar{x} - s_j^r) = \epsilon_1(\bar{x}) - b_{j,2}(\bar{x} - s_j^l)(\bar{x} - s_j^r),$$

where $\epsilon_1(\bar{x})$ is the approximation error introduced by the
linear approximation. To obtain $b_{j,2}$, the mean square error
$\sum_{\bar{x} \in S_j} \epsilon_2^2(\bar{x})$ is minimized by imposing that its derivative
with respect to $b_{j,2}$ is equal to 0. Doing so, we obtain

Being interested to obtain an approximation of the form
$\sum_{i=0}^{2} a_{j,i}(\bar{x} - s_j^l)^i$, we find the following coefficients: $a_{j,0} =
b_{j,0}$, $a_{j,1} = b_{j,1} - a_{j,2}(s_j^r - s_j^l)$ and $a_{j,2} = b_{j,2}$.

Given the approximation of degree 2, we can obtain the
approximation of degree 3 similarly, as $\tilde{f}_{j,3}(\bar{x}) = \tilde{f}_{j,2}(\bar{x}) +
b_{j,3}(\bar{x} - s_j^l)(\bar{x} - s_j^r)(\bar{x} - c_3)$, where $c_3$ is a point of the interval
(possibly one of the extreme points), whose selection can be
carried out by means of numerical analysis. By iterating
the above operation, we can obtain an approximation of degree
$d$, that can be written in the form ~

6) Other solutions: 

Other techniques can be used to approximate $\bar{f}()$ within
the segments $S_j$. For instance, by using a spline interpolation
of degree $d$ we would ensure the continuity of the
piecewise approximation and its first $d - 1$ derivatives;
however the spline approximation does not depend on the
values that the function assumes in the non-extreme points
of the segment. This raises some problems with the overall
interpolation procedure. Suppose, for instance, that at a certain
point, with the domain split into $N$ segments, the maximum
approximation error exceeds the desired maximum value. With
a spline approximation it is not easy to decide which segment
should be further split, since even by splitting the segments
where the error exceeds the threshold, it is possible that the
new spline approximation exceeds the maximum error in some
of the segments that have not been split.

Alternatively, we could use a Taylor approximation centered
in the middle of each interval. Unluckily, this solution provides
an excellent approximation close to the center of the intervals,
but deteriorates rapidly towards the extreme points. To solve
the problem, polynomials of large degree should be used,
otherwise we risk to split the domain into too many small
intervals, making the solution inefficient.

As an additional possibility, we mention the usage of neural
networks, whose implementation in the encrypted domain
has been proposed in the literature. In fact the multi-layer perceptron
(MLP) is a universal function approximator, as proven by the
universal approximation theorem. However, the proof is
not constructive regarding the number of neurons required or
the settings of the weights. Moreover each neuron involves
several products, which cannot be implemented efficiently in
the encrypted domain, and an activation function, whose best
secure implementation so far is based on a linear piecewise
approximation.

IV. Parameter representation 

In this section we evaluate the impact that the number of bits 
used to represent the parameters of the approximating function 
has on the approximation accuracy. 

As we said, SMPC works with integer numbers, however the
coefficients of the polynomials derived in the previous section
are real numbers and need to be approximated with integer
numbers. A possibility would be to simply approximate them
by using the formula $\sum_{i=0}^{d} \lfloor a_{j,i} \rceil (\bar{x} - s_j^l)^i$. Such a choice,
however, may result in an exceedingly large approximation
error. To alleviate this problem, we quantize the approximation
coefficients by multiplying them by a factor $k$ and dividing the
final approximation result by the same value. We underline
that by imposing that $k$ is a power of 2, we can implement
the division very easily by discarding the least significant
bits of the result. We also argue that a different number of bits
(a different precision) is needed to represent the coefficients of
different orders in the polynomial (intuitively more bits will be
needed for higher orders). To allow for such a differentiation
we introduce different multipliers for different coefficients;
let us denote them by $k_i = 2^{\ell_{k,i}} \le k$, where $\ell_{k,i}$ is the
number of bits used to represent the fractional part of $i$-th
order coefficients. Obviously such parameters have to be scaled
during the computation so that all the parameters are amplified
by the same factor $k$.

At this point we need to understand how many bits are
needed to represent the coefficients. Since the coefficients can
be negative, we need one bit for the sign. The number of
bits used to represent the magnitude can change with the
coefficient degree, but it must be the same for each interval.
The magnitude of the parameters of degree $i$ depends first of
all on the biggest value assumed by $a_{j,i}$ for all the sections $S_j$,
identified as $\ell_{a_i} = \lceil \log_2(\max_j\{a_{j,i}\}) \rceil$. In such a way a
different bitsize is used for coefficients corresponding to different
degrees in the polynomial. Then the magnitude depends on the
quantization factor $k_i$. This amounts to understanding how many
bits of the fractional part of the parameters $a_{j,i}$ are represented
for each degree $i$. Considering that the largest quantizer for
the parameters is $k_d = k$, we can rewrite the approximating
function by using the notation introduced so far as¹

$$\tilde{f}(\bar{x}) = \left\lfloor \frac{\sum_{i=0}^{d} 2^{\ell_k - \ell_{k,i}} \lfloor k_i a_{j,i} \rceil (\bar{x} - s_j^l)^i}{k} \right\rfloor,$$

allowing us to evaluate products involving values represented
with smaller bit-lengths and then multiplying the results by
the factor $k/k_i = 2^{\ell_k - \ell_{k,i}}$ by simply concatenating a proper
number of zeroes. While $k_i a_{j,i}$ can be represented as an integer
number by rounding it in the plain domain, the division by $k$
is computed discarding the $\log_2 k = \ell_k$ least significant bits of
the sum result, allowing only to truncate the value.

To determine i, we compute the difference between the 
quantized function f{x) and the approximating function f{x). 
Considering that the analysis is the same for each segment j, 
in the following we omit such an index for simplicity. The 
approximation error can be written as; 


f{x) = 


fix) - fix) = 

= fix) - 


Ei=o2^'‘ ^’‘'^ikiai + ei){x - s'^)^ 


et = 


= fix) -'^a.iix - s'^)^ - ^ ^ ^ I , (5) 


i=0 


v.i=0 


ki 


fix) — Ef=o®*(® ~ the approximation error, while 

Ef=o ^ ^ additional representation error that 

we want to keep as small as possible. Since et < I (equiv¬ 
alent to the codomain quantization error), we impose that 
Ef=o ^ lower than one, so that the represen¬ 

tation error is lower than twice the codomain quantization 
step. Recalling that each interval contains a number of points 
that is a power of 2, the difference between the input and 
the left extreme of the segment the input belongs to is 
i — s* < 2^” = maxj jsJ — s*}. Considering that \ei\ < 1/2, 
we obtain 

eiix - s^y 



i=o * 


(6) 


Allowing an error lower than l/(d -b 1) in each term of the 
sum ensures that the total error is lower than 1, yielding fc, > 

(d + i)2^^--y 

The bitsize of the fractional part of the z-th coefficient then 
is £k,i = i(-v + riog 2 (d -b 1)] — 1 and the bitsize of the 
amplification factor k can be obtained by letting k = kd- 
The total number of bits needed to represent all the pa¬ 
rameters of the approximation Vz and s*) then is 

= '^x + Ei=o(^“b + ^k,i + !)■ 


V. STPC IMPLEMENTATIONS 
As already outlined in Section II, the main tools for STPC are HE and GC. Moreover, it is also possible to develop hybrid protocols by composing several subprotocols, each one implemented by relying on the most suitable approach.

In the following, we present two solutions to implement the approximation algorithm described in the previous sections in a STPC setting. The two solutions rely, respectively, on a full-GC implementation and a new hybrid solution. We excluded a priori the development of a protocol entirely based on HE since the protocols introduced in Section need the bit decomposition of the input, for which an efficient HE implementation does not exist.

We first describe the two protocols and then we analyze their complexity in Section VI to evaluate which of the two is more efficient for different setups. We assume that the input $x$ is available to Alice in form of garbled secrets, while the full-GC and hybrid protocols represent the output value $y$ as garbled secrets and as a cyphertext respectively. If a different representation is needed for further computation, the conversion algorithm presented in ini must be used. The above setting mimics a case in which the function evaluation protocol is embedded inside an outer protocol. In addition to being used for further computation, the output can also be disclosed to Alice as a final result, while $x$ cannot be an input from Alice or Bob, otherwise, being the function known, they could directly input $f(x)$ to the subsequent computation.


where $0 < e_t < 1$ is the truncation error, while $|e_i| < 1/2$ is the error introduced to round the $i$-th coefficient.

¹ The formula refers to the $j$-th segment for simplicity.

A. Full-GC solution

Given an approximating function having the form defined in the previous section, its evaluation in correspondence of an input $x$ can be implemented in three steps: i) identification of the segment $x$ belongs to; ii) retrieval of the parameters determining the approximating function in the identified segment; iii) use of the retrieved parameters to compute $f(x)$. In this section, we present a protocol entirely based on GC to implement the above steps.

1) Interval detection: The correct subset is identified through a classification tree. Thanks to the use of a bisection algorithm we can associate a binary tree to the partition, where we can reach the leaf associated to the segment the input belongs to by traversing the tree from the root node and by choosing the left or right child according to the most significant bit of the input, and repeating the operation for each node according to the next bits, until a leaf is reached, as shown in Figure 4.

The idea behind the GC protocol is to build a binary circuit that, given the input, returns as many output bits as the number of leaves in the tree and where only the bit corresponding to the leaf associated to the correct segment is equal to 1.

Let us assume that the binary tree has $N$ leaves (and hence $N - 1$ nodes). An input $x$ belongs to the $j$-th subset $S_j$ (associated to the $j$-th leaf of the tree) if $p$ is the depth of the leaf in the tree and the $p$ most significant bits of $x$ and the left extreme are equal. These $p$ bits are associated to the direct path from the root to the leaf associated to segment $S_j$, i.e. the sequence of bits encountered on the branches when traveling from the root to the leaf (Figure 4).

The above condition can be verified through a binary circuit
computing = 1, where $\wedge$ indicates the

AND operator, $\oplus$ the XOR operator, ¯ the negation and
identifies the Ath bit of $x$ ((i^o) is the least significant bit).



Figure 4. Example of binary tree associated to a domain partition. 

Being the path from the root to each leaf known, 
can be simply evaluated as if 

= 0 and as otherwise, for each i. The AND 

gates common to different paths can be evaluated only once. During the tree design, each time a node is added, except for the root node, two AND gates are added: one having as inputs the upper path and the negation of the actual bit of $x$, the other with the upper path and the actual bit of $x$. To decrease the total number of gates the first AND gate and the NOT gate between the input bit and the AND can be merged together and replaced by a gate with the following truth table


1st input   2nd input   output
0           0           0
0           1           0
1           0           1
1           1           0


The final circuit implementing the bisection algorithm is composed by only $2(N - 2)$ non-XOR gates (an example is shown in Figure 5, where the circuit implementing the bisection algorithm depicted in Figure 4 is shown), significantly improving the circuit used in the protocol described in [23], where segment selection was achieved through $N - 1$ comparison circuits, and required [N — non-XOR gates. We point out that such an improvement was possible due to the use of a bisection algorithm during the construction of the approximating function.



Figure 5. Circuit implementing the subset identification associated to the binary tree of Figure 4.

Figure 6. Circuit for parameters selection and its optimizations (blue inputs are public).

2) Parameters selection: The circuit for parameters selection is entirely composed by XOR gates.

Given the concatenation $p_i$ of the approximation parameters associated to each segment $i$, and the output of the associated leaf $l_i$, and by remembering that if $x$ belongs to the segment $S_j$ only $l_j = 1$, while the outputs associated to the other leaves are null, the parameters $p_j$ of the segment $S_j$ can be obtained

Pj = hPi- Considering that only IjPj ^ 0, the same 

result can be obtained by evaluating Finally we 

recall that the to-be-approximated function is public, then the domain partition and the parameters of the various segments are not secret, hence the AND between the output of any leaf $i$ and a generic bit $b$ of the associated parameters $p_i$ can be expressed as

$$l_i\, p_i(b) = \begin{cases} 0 & \text{if } p_i(b) = 0 \\ l_i & \text{otherwise.} \end{cases} \qquad (7)$$

When $l_i\, p_i(b) = 0$, the XOR operation is implemented by simply propagating the other input (even if XOR gates have negligible complexity, in this way we further reduce the circuit complexity). An overall sketch of the circuit for parameters selection is given in Figure 6.

We conclude by stressing again that non-XOR gates are not used in the circuit and that less than $(N - 1)\ell_p$ XOR gates compose the circuit. This marks a significant improvement with respect to the solution proposed in [23], where $N - 1$ multiplexers are used, for a total of $(N - 1)\ell_p$ non-XOR gates.

3) Approximation: During the last step, the approximation coefficients obtained in the previous phase are used to compute the approximated value. In the case of constant approximation no further operation is needed, since the approximation coincides with the parameters obtained in the second step. This is not the case for linear and polynomial approximations. Let us assume, then, that a polynomial of degree $d$ is used for the approximation, and let us indicate the parameters determining the exact form of the approximating polynomial with $p_j$, while the secrets relative to $x$ are available since the very beginning of the protocol.

First of all the difference $\delta$ between the input $x$ and the left extreme $s_j$ of the segment $S_j$ containing $x$ is computed by a subtraction circuit composed by non-XOR gates im. The sign of the output is discarded, since we know that the difference is always positive. The direct evaluation of the polynomial $\lceil k_0 a_{j,0} \rfloor + \sum_{i=1}^{d} \lceil k_i a_{j,i} \rfloor \delta^i$ (extension of the solution proposed in UTij to polynomial of degree $d$) would require $d - 1$ products with increasing complexity to compute all the powers of $\delta$ and then other $d$ products to multiply them with the corresponding coefficients. This would require a circuit composed by $O(d^3\ell^2)$ non-XOR gates. In fact $\delta^i$ is represented by $i\ell_v$ bits, while the corresponding coefficient by $\ell_y + i\ell_v$ bits, hence their product needs $O(i^2\ell^2)$ non-XOR gates. Summing the non-XOR gates of the $d$ products, we obtain a circuit composed by $O(d^3\ell^2)$ non-XOR gates.

A simpler solution can be obtained by evaluating the approximating polynomial through a sequence of $d$ blocks, as shown in Figure 7. In practice the polynomial is evaluated as $A_0 + x(A_1 + x(A_2 + x(\ldots + x(A_{d-1} + xA_d)\ldots)))$, where $A_i = \lceil k_i a_{s,i} \rfloor$, by setting $v_0 = \lceil k a_{s,d} \rfloor$ and evaluating $d$ linear expressions

$$v_i = A_{d-i} + \delta\, v_{i-1},$$

(one for each block) with $i$ ranging from 1 to $d$, where $v_i$ is the output of the $i$-th block used as input to the next one.

In the first product of the series, we compute the product 
between vq, represented with £y bits, and the corresponding 


Figure 7. Full-GC implementation of the approximation part.


coefficient, represented with $d\ell_v + \ell_y$ bits, hence the product needs $2(d\ell_v + \ell_y)\ell_v - (d\ell_v + \ell_y)$ non-XOR gates and returns a value that is represented with $(d+1)\ell_v + \ell_y$ bits. The result is used in an ADDER together with the scaled coefficient, whose $\ell_v$ least significant bits are 0, hence an ADDER having $(d+1)\ell_v + \ell_y - \ell_v = d\ell_v + \ell_y$ non-XOR gates is used and its output is represented with $(d+1)\ell_v + \ell_y$ bits. In a generic step $i$, the product is composed by $2((d+i-1)\ell_v + \ell_y)\ell_v - ((d+i-1)\ell_v + \ell_y)$ non-XOR gates, its output is represented by $(d+i)\ell_v + \ell_y$ bits and hence the ADDER should be composed by $(d+i)\ell_v + \ell_y$ non-XOR gates, but considering that the $i\ell_v$ least significant bits of the parameter $a_i$ are null, only $d\ell_v + \ell_y$ non-XOR gates are needed. In total the number of non-XOR gates composing the circuit computing the approximation is

$$3d^2\ell_v^2 - d\ell_v^2 + 2d\ell_v\ell_y - \tfrac{1}{2}d^2\ell_v + \tfrac{1}{2}d\ell_v, \qquad (8)$$

for a complexity that is reduced to $O(d^2\ell_v^2)$.
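The three sub-circuits of the full-GC solution above (interval detection, XOR-only parameter selection, block-wise polynomial evaluation), simulated on cleartext bits as an added Python example; it is not the authors' implementation and performs no garbling. The partition, the table for f(x) = 240 - x^2, the single scaling factor 2^FRAC (the text uses a per-coefficient k_i) and all names are constructed for illustration.

```python
LX, W, FRAC = 4, 12, 2                  # input bits, bits per coefficient, scaling 2^FRAC
LEAVES = ["00", "010", "011", "1"]      # constructed bisection partition of [0, 16)
# Constructed piecewise-linear table for f(x) = 240 - x^2: [A_0, A_1] scaled by 2^FRAC.
TABLE = [[960, -16], [896, -40], [816, -56], [704, -96]]


def detect_interval(x, lx, leaves):
    """Return the one-hot leaf wires for x and the number of AND (non-XOR) gates."""
    bits = [(x >> (lx - 1 - i)) & 1 for i in range(lx)]        # MSB first
    wire = {"0": 1 - bits[0], "1": bits[0]}                    # root children: NOT is free
    inner = sorted({p[:k] for p in leaves for k in range(1, len(p))}, key=len)
    for node in inner:                                         # non-root internal nodes
        b = bits[len(node)]
        wire[node + "1"] = wire[node] & b                      # AND(upper path, bit)
        wire[node + "0"] = wire[node] & (1 - b)                # merged AND-NOT gate
    return [wire[p] for p in leaves], 2 * len(inner)


def pack(s, coeffs, lx, w):
    """Concatenate left extreme and two's-complement coefficients into one public word."""
    word = s
    for i, a in enumerate(coeffs):
        word |= (a & ((1 << w) - 1)) << (lx + i * w)
    return word


def unpack(word, lx, w, d):
    s = word & ((1 << lx) - 1)
    coeffs = []
    for i in range(d + 1):
        a = (word >> (lx + i * w)) & ((1 << w) - 1)
        coeffs.append(a - (1 << w) if a >> (w - 1) else a)     # restore the sign
    return s, coeffs


def select_params(leaf_wires, packed, width):
    """XOR-only selection: l_i AND p_i(b) is l_i when the public bit is 1, else dropped."""
    out, xors = 0, 0
    for b in range(width):
        wires = [l for l, p in zip(leaf_wires, packed) if (p >> b) & 1]
        bit = 0
        for w_ in wires:
            bit ^= w_
        xors += max(len(wires) - 1, 0)                         # one XOR per extra wire
        out |= bit << b
    return out, xors


def horner(delta, coeffs):
    """v_0 = A_d, then v_i = A_{d-i} + delta * v_{i-1} for i = 1..d."""
    v = coeffs[-1]
    for a in reversed(coeffs[:-1]):
        v = a + delta * v
    return v


def evaluate(x, lx=LX, leaves=LEAVES, table=TABLE, w=W, frac=FRAC):
    """Return (approximation, leaf wires, AND-gate count, XOR-gate count)."""
    d = len(table[0]) - 1
    packed = [pack(int(p.ljust(lx, "0"), 2), c, lx, w) for p, c in zip(leaves, table)]
    leaf_wires, ands = detect_interval(x, lx, leaves)
    word, xors = select_params(leaf_wires, packed, lx + (d + 1) * w)
    s, coeffs = unpack(word, lx, w, d)
    return horner(x - s, coeffs) >> frac, leaf_wires, ands, xors
```

With N = 4 leaves the detection step uses 2(N - 2) = 4 AND gates, and the selection step stays below (N - 1) times the parameter width in XOR gates, as stated in the text.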

B. Hybrid solution 

The second protocol that we developed relies on a hybrid combination of GC and additively homomorphic encryption. The rationale behind it is that while the first two steps of the protocol are more easily carried out by resorting to GC, for the last one the use of HE could be advantageous. In fact, an HE implementation of the interval detection requires the encryption of single bits, resulting in a high expansion factor, and the implementation of boolean gates through more expensive products and a number of exponentiations between cyphertexts, while parameter selection is evaluated essentially for free by using GC and hence any HE implementation would have a higher complexity.

A hybrid approach had already been used in 12^ , where the input $x$ is used to compute the linear approximation within all the segments through HE and then the bits obtained by comparing the input with the left extremes of the intervals are obfuscated and used to select the correct approximation, by using an interactive HE protocol. Such a protocol can be easily extended to a generic polynomial approximation.

Here we propose to use an approach similar to the one presented in Section V-A2: we first select the parameters with negligible complexity and then pass them to the multipliers rather than computing all the multiplications and then selecting the correct one, avoiding $N - 1$ multiplexers and the transmission of $O(N)$ cyphertexts. Hence, in contrast to E^ , we introduce a new hybrid protocol for which the complexity of the homomorphic part does not depend on the number of intervals the domain is partitioned into, but only on the degree of the polynomial.

To describe the protocol, we assume that for the GC part Bob acts as the garbler and Alice as the evaluator, while in the HE part, Alice owns the private key while the public key is obviously available to Bob as well. We also assume that $x$ is available to Alice through a previous computation in the form of garbled secrets. As we said, the segment $S_j$ with $x$ and the corresponding approximation parameters are obtained by using GC as detailed in Section V-A1 and Section V-A2.


At this point, the parameters i] (in the next we avoid 
the round operator) are obfuscated by adding to them a value 


„(“) 


randomly generated by Bob. 


Similarly to Section |V-A3| we assume that each parameter 
kiQs^i is represented with 1 + + iiy + L 1 °S 2 ('^ + 1)J 

hence the relative obfuscation value is 1 + + i£v +t bits 

long. The difference S between x and is computed by using 
a subtraction circuit and the result is also obfuscated by adding 
a random number r provided by Bob as an additional input of 
the GC and represented with iy + t bits. The difference and 
the obfuscated parameters are sent to Alice. 

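Alice computes all the powers of $\delta + r$ from 1 to $d$, encrypts them and sends the cyphertexts to Bob. Knowing $r$, Bob can remove the obfuscation by computing

$$
\begin{aligned}
[\![\delta]\!] &= [\![\delta + r]\!]\,[\![-r]\!] \\
[\![\delta^2]\!] &= [\![(\delta + r)^2]\!]\,[\![\delta]\!]^{-2r}\,[\![-r^2]\!] \\
[\![\delta^3]\!] &= [\![(\delta + r)^3]\!]\,[\![\delta^2]\!]^{-3r}\,[\![\delta]\!]^{-3r^2}\,[\![-r^3]\!]
\end{aligned}
$$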


To evaluate the polynomial, Bob needs again to interact with Alice, to compute the product between the powers of $\delta$ and the corresponding coefficients. Hence Bob introduces a new obfuscation in each power $\delta^i$, $i = 2, \ldots, d$ and sends the value to Alice. In this way Alice, after decryption, obtains all the powers of $\delta$ obfuscated by a value that Bob knows exactly (Alice already has $\delta$ obfuscated by = $r$).

Alice computes the polynomial by using the obfuscated powers and parameters obtaining:



that is equal to the polynomial evaluated in x obfuscated by 
the value 


^ (“) I I ('5) (i. I (“)t n<^\ 

+Z^TrG V(^ias,i+1 1, (10) 

^0 . T ^0 . T 

1—1 ^ 




i=l 


Table I. Short term security parameters Gil-

Content                                          Name   Bitsize
Homomorphic security parameter                   T      1024
Garbled circuit security parameter               t      80
Obfuscation parameter for HE to GC conversion    τ      80


where we recall that = 2^'= 

Alice encrypts yob and all the quantities —^{kiUs^i + 
and sends them to Bob that finally computes under encryption 


(a) 


= M[-^C1 Ill'll + 


(“)\ 




( 11 ) 


It is important to underline that when $d = 1$, the first part of the protocol is not needed, because Bob already knows the obfuscation affecting the difference, hence the protocol starts directly with the computation of $y_{ob}$.

In contrast to the full-GC solution, the hybrid protocol outputs the value amplified by a factor $k$ and enriched with many fractional bits. If it is necessary to represent the final value with only $\ell_y$ bits for further computation, we can resort to one of the interactive protocols proposed in m, ua.
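The homomorphic part of the hybrid protocol above, as an added Python example (not the authors' Java code): Bob strips the mask r from the encrypted powers of δ + r, for any degree d, and later removes the masks from the blinded polynomial. Paillier with a toy modulus is assumed as the additively homomorphic scheme, the masks are shortened to fit it, and the last mask-removal step is written from the algebra of the blinded product so that Bob spends the 2d exponentiations the text attributes to him; all function names are illustrative.

```python
import math
import secrets
from math import comb

# Toy Paillier (assumed scheme). Two Mersenne primes: far too small for real use,
# where Table I calls for a 1024-bit HE parameter and 80-bit masks.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)


def enc(m):
    while True:
        rho = secrets.randbelow(N - 1) + 1
        if math.gcd(rho, N) == 1:
            return (1 + (m % N) * N) * pow(rho, N, N2) % N2


def dec(c):
    m = (pow(c, LAM, N2) - 1) // N * MU % N
    return m - N if m > N // 2 else m            # map back to a signed integer


def h_add(c1, c2):
    return c1 * c2 % N2                          # Enc(a) * Enc(b) = Enc(a + b)


def h_mul(c, k):
    return pow(c, k % N, N2)                     # Enc(a) ^ k = Enc(k * a)


def bob_unblind_powers(blinded, r):
    """blinded[i-1] = Enc((delta + r)^i). Returns ([Enc(delta^i)], exponentiations)."""
    clean, exps = [], 0
    for i, c in enumerate(blinded, start=1):
        acc = h_add(c, enc(-(r ** i)))           # remove r^i
        for j in range(1, i):                    # remove C(i,j) r^(i-j) delta^j
            acc = h_add(acc, h_mul(clean[j - 1], -comb(i, j) * r ** (i - j)))
            exps += 1
        clean.append(acc)
    return clean, exps


def hybrid_he_phase(delta, coeffs, bits=16):
    """coeffs = [A_0..A_d]. Returns (Enc(sum A_i delta^i), unblind exps, final exps)."""
    d = len(coeffs) - 1
    # Bob's masks; in the protocol they are added inside the garbled circuit.
    r_a = [secrets.randbits(bits) for _ in range(d + 1)]      # masks on the parameters
    r_d = [0] + [secrets.randbits(bits) for _ in range(d)]    # masks on the powers
    r = r_d[1]
    blinded_delta = delta + r                                 # all Alice learns of delta
    blinded_coeffs = [a + m for a, m in zip(coeffs, r_a)]
    # Alice -> Bob: encrypted powers of the blinded difference.
    to_bob = [enc(blinded_delta ** i) for i in range(1, d + 1)]
    enc_pow, exps_unblind = bob_unblind_powers(to_bob, r)
    # Bob -> Alice: powers 2..d re-blinded with fresh masks; Alice decrypts them.
    alice_pow = [1, blinded_delta] + [
        dec(h_add(enc_pow[i - 1], enc(r_d[i]))) for i in range(2, d + 1)]
    # Alice evaluates the polynomial in the clear on blinded values only.
    y_ob = sum(c * p for c, p in zip(blinded_coeffs, alice_pow))
    enc_y, enc_c = enc(y_ob), [enc(c) for c in blinded_coeffs[1:]]
    # Bob removes every mask term under encryption: 2 exponentiations per degree.
    acc, exps_final = h_add(enc_y, enc(-r_a[0])), 0
    for i in range(1, d + 1):
        acc = h_add(acc, h_mul(enc_c[i - 1], -r_d[i]))        # - r_d_i * (A_i + r_a_i)
        acc = h_add(acc, h_mul(enc_pow[i - 1], -r_a[i]))      # - r_a_i * delta^i
        exps_final += 2
    return acc, exps_unblind, exps_final
```

Only Alice, who holds the private key, can open the returned ciphertext; Bob never sees δ or the coefficients, and Alice only sees their masked versions.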

VI. Protocols comparison 

In this section we evaluate the efficiency of the two protocols described so far, by considering both communication and computational complexity. We also provide the runtime of a Java implementation of the protocols.

As shown in Section IV, the parameters associated to higher degree approximations require more bits for their representation. Hence the use of polynomials with a large degree is convenient only if it permits to significantly decrease the number of segments the domain is partitioned into. For this reason the results strongly depend on the function to be approximated. Generally speaking, the most efficient solution must be decided by considering the specific applications and the available hardware/software. Here, we exemplify the kind of analysis that the designer should carry out, by considering the approximation of the function sinc(x) = in the interval [0, 10).

For sake of simplicity, we assume that $\ell_x = \ell_y = \ell$, hence the parameters influencing the complexity are the bitlength $\ell$, the polynomial degree $d$ and the number of segments $N$ used to partition the function domain. In addition, we must consider the security parameters involved in the protocols and summarized in Table I.

First of all we investigate the effect that the polynomial degree has on the number of segments of the partition. Given the bitlength $\ell$, the function is first scaled and translated to fit the domain $[0, 2^{\ell})$ and the codomain $[0, 2^{\ell})$. We report in Table II the number of segments obtained by using constant, linear, quadratic and cubic approximation as a function of the bitlength $\ell$ and the target approximation error $\varepsilon$ (computed as error/max(y)). We can easily observe that by using a cubic approximation (or even higher degrees) the number of segments continues to decrease, but no significant improvements are obtained, hence the cubic solution will not be considered any further. Given the number of segments, we can evaluate the communication complexity, the computational complexity and the runtime for the three kinds of approximations. We remind that with regard to the piecewise constant approximation, the parameters provided by the first two steps of the protocol implemented entirely by means of GC already represent the approximation we look for without the need of any further computation. For this reason, the use of a Hybrid protocol for the piecewise constant approximation is not necessary.

Table II. Number of segments required to approximate sinc(x) as a function of the bitlength ℓ and the approximation error ε (missing values indicate that the given error cannot be reached with the given bitlength).

(a) Constant approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       13        28        92        127       -         -
12      15        33        171       313       1158      1998
16      15        33        182       361       1724      3408
20      15        35        184       365       1743      3482

(b) Linear approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       8         17        36        49        -         -
12      7         17        38        53        124       214
16      7         17        38        53        120       166
20      7         17        38        53        119       162

(c) Quadratic approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       5         9         16        22        -         -
12      5         10        17        21        35        66
16      6         10        17        21        35        43
20      9         10        17        21        35        42

(d) Cubic approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       5         7         16        23        -         -
12      5         7         16        21        34        52
16      5         7         16        21        35        37
20      5         10        16        21        35        37

For sake of brevity continuous approximations are not considered, however we underline that their complexities are similar to those of the corresponding non continuous approximations.

A. Communication complexity

For the GC part we use precomputation only for the oblivious transfers, so that an OT 2 used to associate a $t$-bit secret to an input bit provided by Alice requires the online transmission of about $2t$ bits, while the transmission of the secrets associated to the input bits of Bob requires $t$ bits and for each non-XOR gate $3t$ bits are transferred, while no communication is needed for the XOR gates. If circuit transmission is precomputed, as in the case of two parties knowing in advance that they have to evaluate together a given function, the communication complexity is reduced to only the online transmission of the about $2t$ bits relative to Alice’s input.

1) Full-GC solution: By assuming that the secrets associated to $x$ are already available, the protocol requires only the transmission of the gates composing the circuit in one communication round. As already shown in Section V-A, $2(N - 2)$ non-XOR gates are used in the first sub-circuit and 0 in the second sub-circuit, while the complexity of the third part depends on the polynomial degree, for which the estimated number of gates is given by equation (8). Increasing the polynomial degree decreases the number of segments, and hence the number of non-XOR gates in the first part of the circuit, especially when passing from constant to linear approximation with high $\ell$ and small $\varepsilon$. On the other side, the number of non-XOR gates of the third part is $O(d^2\ell^2)$ and hence its complexity increases. Table III shows the communication complexity of the full-GC protocol in bytes according to the results shown in Table II, where the parameter bitlengths have been set according to the analysis carried out in Section IV.

Table III. Communication complexity of the online phase (in bytes) of the full-GC approximation protocol applied to sinc(x) as a function of ℓ and ε (missing values mean that the given error cannot be reached with the given bitlength).

(a) Constant approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       660       1560      5400      7500      -         -
12      780       1860      10140     18660     69360     119760
16      780       1860      10800     21540     103320    204360
20      780       1980      10920     21780     104460    208800

(b) Linear approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       4320      3180      3870      4650      -         -
12      9180      7140      7710      8610      11790     17190
16      16020     13020     13350     14250     16710     19470
20      24780     20820     20910     21810     23730     26310

(c) Quadratic approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       16620     22740     9000      9720      -         -
12      39180     39420     22560     23160     19920     18120
16      71400     71640     47520     48120     42240     43140
20      91320     91500     82080     82680     74400     75240

As it can be seen from the tables, constant approximation is preferable to linear approximation for small bitlengths with large representation error. Quadratic approximation has always a communication complexity larger than the linear approximation and the results worsen with higher polynomial degrees. It is important to underline that the complexity depends more on the bitlength than on the precision. In fact, a smaller approximation error results in a smaller interval for each segment and hence the number of bits representing the parameters decreases, thus reducing the complexity of the third circuit as well.


2) Hybrid solution: The hybrid protocol requires 4 communication rounds. In the first one, the garbled circuit is transmitted, together with the secrets of the random values that are used to obfuscate the circuit outputs. As shown in Section V-B, the circuit transmitted in the first round is composed by the $2(N - 2)$ non-XOR gates composing the tree, the $\ell_y$ non-XOR gates of the subtraction circuit, $\ell_v + \tau$ bits for the adder used to obfuscate the difference and $\ell_{a,i} + i\ell_v + \lfloor \log_2(d+1) \rfloor + \tau \sim (i+1)\ell + \tau$ non-XOR gates for the obfuscation of each parameter $k_i a_i$ $\forall i = 0 \ldots d$. In the second round $d$ cyphertexts, containing the powers of the obfuscated difference between the input value and the left extreme of the segment are transmitted, while in the third round $d - 1$ cyphertexts, containing the obfuscated powers, are sent back. Finally, in the fourth round, one cyphertext, the obfuscated approximation, and the $d$ cyphertexts encrypting the obfuscated parameters are sent to Bob. When $d = 1$, the second and third rounds are discarded and the cyphertext containing $\delta + r$ is transmitted during the last round. The communication complexity of the linear and quadratic solutions are shown in Table IV. Table V shows the best choice for each set of parameters, according to the communication complexity. In general, the full-GC solution is preferable, but for a large number of bits and high precision the hybrid protocol requires to transmit less data. It is interesting to observe that in a case ($\ell = 20$ and $\varepsilon = 0.0005$) the hybrid quadratic approximation protocol provides slightly better results than the others.

Table IV. Communication complexity of the online phase (in bytes) of the hybrid approximation protocol applied to sinc(x) as a function of ℓ and ε (missing values mean that the given error cannot be reached with the given bitlength).

(a) Linear approximation [2 rounds]

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       11898     12218     13288     14068     -         -
12      12438     12818     14008     14908     19058     24458
16      13038     13418     14608     15508     19418     22178
20      13638     14018     15208     16108     19958     22538

(b) Quadratic approximation [4 rounds]

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       16666     17346     17256     17976     -         -
12      17626     17986     18136     18736     19966     22036
16      18686     18966     19056     19656     20646     21546
20      19306     19526     19976     20576     21566     22406

Table V. Best protocol for each configuration, according to communication complexity analysis (solution-degree).

(a) Constant approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       GC-0      GC-0      GC-1      GC-1      -         -
12      GC-0      GC-0      GC-1      GC-1      GC-1      GC-1
16      GC-0      GC-0      GC-0      GC-1      GC-1      GC-1
20      GC-0      GC-0      GC-0      Hyb-1     Hyb-1     Hyb-2

At least for the example discussed in this paper, if the circuit 
can be transmitted offline, hybrid solutions are in general not 
advantageous, and the choice among the different full-GC 
solutions depends only on computational complexity. 

B. Computational complexity 

As shown in Section the computational complexity 
depends on the number of Hash functions for the GC part of 
the protocols and the number of exponentiations for the HE 
part, while the XOR between secrets and products between 
cyphertexts have a negligible complexity. We consider that 
garbling is performed online, otherwise the complexity is 
reduced only to the online evaluation of the circuit (performed 
by Alice). 


Table VI. Average computational complexity of the online phase expressed as number of hash functions (rounded to the closest integer) computed by Alice and Bob in the full-GC approximation protocol applied to sinc(x). The complexity is expressed as a function of ℓ and ε (missing values mean that the given error cannot be reached with the given bitlength).

(a) Constant approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       83        195       675       938       -         -
12      98        233       1268      2333      8670      14970
16      98        233       1350      2693      12915     25545
20      98        248       1365      2723      13058     26100

(b) Linear approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       540       398       484       581       -         -
12      1148      893       964       1076      1474      2149
16      2003      1628      1669      1781      2089      2434
20      3098      2603      2614      2726      2966      3289

(c) Quadratic approximation

ℓ\ε     0.1       0.05      0.01      0.005     0.001     0.0005
8       2078      2843      1125      1215      -         -
12      4898      4928      2820      2895      2490      2265
16      8925      8955      5940      6015      5280      5393
20      11415     11438     10260     10335     9300      9405

1) Full-GC solution: As already said, the interval detection circuit consists of $2(N - 2)$ non-XOR gates, while the number of non-XOR gates composing the interpolation circuit is given by equation (8). Table VI shows the total computational complexity of the full-GC solution when constant, linear or quadratic approximation is used. As for the communication complexity, the constant approximation is preferable to the linear approximation for small bit-lengths and large representation errors, while the quadratic approximation exhibits the worst performance.

2) Hybrid solution: The GC part takes care to detect the correct interval through the selection binary tree, retrieve the parameters, compute the difference between $x$ and the left extreme of the segment and finally obfuscate the parameters and the difference. In total 3(2 ^ (N hash functions are evaluated by Bob and one quarter of them, on the average, by Alice. After receiving the obfuscated values, Alice encrypts the powers of the difference ($d$ exponentiations), Bob removes the obfuscation exponentiations), then Alice performs $d - 1$ decryptions ($d - 1$ exponentiations), encrypts the parameters ($d + 1$ exponentiations) and finally Bob removes the obfuscation affecting the approximation value with $2d$ exponentiations. In the linear implementation, the exponentiations required to remove the obfuscation from the powers and the following $d - 1$ decryptions are not needed. Table VII shows the complexity of the hybrid protocol when linear and quadratic approximations are used. We can observe that many non-XOR gates are usually replaced by a fixed number of exponentiations. In some cases, especially with small $\ell$, the GC part of the hybrid protocol needs more Hashes than the corresponding full-GC solution, because obfuscation needs many bits.

Table VII. Average computational complexity of the online phase expressed as number of hashes (H) and exponentiations (E) (rounded to the closest integer) for both Alice and Bob in the hybrid approximation protocol applied to sinc(x). Complexity is expressed as a function of ℓ and ε (missing values mean that the given error cannot be reached with the given bitlength).

(a) Linear approximation

ℓ\ε     0.1         0.05        0.01        0.005       0.001       0.0005
8       1061H+5E    1106H+5E    1241H+5E    1339H+5E    -           -
12      1114H+5E    1166H+5E    m6H+5E      U29H+5E     1950H+5E    2625H+5E
16      1174H+5E    n26H+5E     1376H+5E    1489H+5E    1980H+5E    2325H+5E
20      1234H+5E    m6H+5E      1436H+5E    1549H+5E    2033H+5E    2355H+5E

(b) Quadratic approximation

ℓ\ε     0.1         0.05        0.01        0.005       0.001       0.0005
8       1433H+11E   1504H+11E   15T9H+11E   1609H+11E   -           -
12      1526H+11E   \56&H+11E   1609H+11E   1684H+11E   1845H+11E   2111H+11E
16      1631H+11E   \665H+11E   1699H+11E   1774H+11E   1905H+11E   2018H+11E
20      1699H+11E   n25H+11E    1789H+11E   1864H+11E   1995H+11E   2100H+11E

Comparing the full-GC and hybrid solutions from a computational point of view is problematic, since this requires to compare the complexity of Hash functions and exponentiations, which ultimately depends on the architecture of the platform used to implement the protocols. In the next section, we move one step in this direction by comparing the runtime of two specific implementations of the protocols.


C. Runtimes 

We measured the runtimes required by Java implementations of the protocols on a desktop PC having an AMD Phenom II X4 940 processor at 3.00 GHz and 6.00 GB of RAM. The results are reported in Table VIII. According to such a table, GC solutions are preferable to Hybrid ones. However all the tests have been performed by running both the evaluator and the garbler in the same PC, so that the runtimes are more related to computational complexity rather than to communication time. Table IX shows the preferable solution for various bitlength-precision setups.


VII. Conclusion 

Given a function $f()$ and an interval belonging to its domain, we considered the problem of approximating $f()$ by means of a piecewise polynomial function $f()$ in a STPC setting. Constant, linear and quadratic approximations have been considered. Regardless of the polynomial degree (except for the constant approximation), two possible protocols have been proposed. The first one relies completely on Garbled Circuit theory, while the other adopts a hybrid solution where GC and Homomorphic Encryption are used together.

The main advantage of the full-GC implementation is the use of only one cryptographic primitive. If the function $f()$ is part of a protocol, where the previous and subsequent functionalities are also implemented by using GC’s, the integration of the sub-protocols that approximate $f()$ would be very easy. The evaluation of the piecewise approximation is the heaviest part of the GC protocol and its complexity significantly increases with the degree of the polynomial. The hybrid solution permits to evaluate the final part by using HE, reducing the complexity when polynomials with high degrees are used.

Communication and computational complexity have been 
estimated for a sample function. Runtimes have been mea¬ 
sured as well. Observing runtimes, the full-GC solutions are 


Table VIII 

Average Garbler/Evaluator Online Runtimes (millisec) 


(a) Full-GC Constant approximation 


Ae 

0.1 

0.05 

0.01 

0.005 

0.001 

0.0005 

8 

0.6/0.3 

1.0/0.4 

2.6/1.2 

3.6/1.7 



12 

0.5/0.3 

0.9/0.4 

4.6/2.2 

65/7.6 

96/37 

121/64 

16 

0.5/0.2 

1.0/0.4 

4.8/2.2 

87/10 

131/57 

180/107 

20 

0.7/0.2 

1.1/0.4 

5.8/2.8 

99/10 

145/59 

200/113 

(b) Full-GC Linear approximation 

^\e 

0.1 

0.05 

0.01 

0.005 

0.001 

0.0005 




T.0/0.9 

t.'Ulo 



12 

5.2/2.3 

4.2/2.1 

4.2/1.9 

4.6/2.1 

52/3.0 

56/6.3 

16 

72/6.3 

67/4.5 

70/4.3 

70/4.7 

72/5.9 

74/8.3 

20 

93/12 

95/10 

90/10.0 

92/9.7 

95/12 

92/12 

(c) Full-GC Quadratic approximation 

ℓ\ε   0.1       0.05      0.01      0.005     0.001     0.0005
8     31/2.9    30/2.9    3.4/1.5   3.6/1.4
12    52/11     53/11     48/5.8    47/5.8    49/4.7    48/4.4
16    81/23     82/23     77/16     76/15     71/13     75/14
20    107/31    108/31    102/28    103/28    100/26    99/25

(d) Hybrid Linear approximation 

ℓ\ε   0.1       0.05      0.01      0.005     0.001     0.0005
8     486/310   479/306   500/323   496/322
12    516/321   511/318   520/327   517/328   520/327   526/327
16    536/327   541/327   536/324   533/321   542/329   541/330
20    554/325   553/319   553/321   553/328   557/332   561/328

(e) Hybrid Quadratic approximation 

ℓ\ε   0.1        0.05       0.01       0.005      0.001      0.0005
8     1155/642   1161/644   1169/645   1163/644
12    1187/643   1187/659   1195/655   1192/660   1182/648   1176/645
16    1197/650   1189/644   1182/639   1194/645   1197/651   1198/653
20    1226/660   1226/656   1227/660   1205/643   1219/650   1223/643

Table IX 

Best protocol for each configuration (protocol - polynomial degree). 

(a) Constant approximation 

ℓ\ε   0.1    0.05   0.01   0.005  0.001  0.0005
8     GC-0   GC-0   GC-1   GC-1
12    GC-0   GC-0   GC-1   GC-1   GC-2   GC-2
16    GC-0   GC-0   GC-0   GC-1   GC-1   GC-1
20    GC-0   GC-0   GC-0   GC-1   GC-1   GC-1

preferable to hybrid solutions and we highlight that generally 
a function approximation can be run in less than 100 msec. 
Anyway, from a communication point of view, with high 
bitlengths and high precision, hybrid solutions are preferable 
to full-GC solutions, becoming more efficient in scenarios 
with low bandwidth or when the result is used in subsequent 
HE-based STPC protocols. Constant or linear approximation can 
be generally used, while we rarely observed an improvement 
from the use of quadratic approximation, making the use of 
higher polynomial degrees impractical. 

Thanks to function approximation, many secure protocols 
can be optimized or even implemented for the first time. This 
is the case, for instance, of neural networks with smoother 
activation functions. Moreover, a future extension to multivariate 
functions can be used to approximate an entire secure protocol 
performing a computation on several inputs made available by 
different parties. 
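
The following plaintext reference is an added example, not code from the paper: it shows how the polynomial degree trades against the number of segments needed to reach a target precision, which is the trade-off behind the choice among constant, linear and quadratic approximation. The sigmoid on [-8, 8), interpolation at equally spaced nodes, power-of-two segment counts and the use of the top input bits as the segment index are assumptions made here; no GC or HE protocol is run.

```python
import math

def sigmoid(x):
    # Sample activation function (assumption; the paper's sample function may differ).
    return 1.0 / (1.0 + math.exp(-x))

def lagrange(nodes, values, x):
    """Evaluate the interpolating polynomial through (nodes, values) at x."""
    total = 0.0
    for j, (xj, yj) in enumerate(zip(nodes, values)):
        term = yj
        for k, xk in enumerate(nodes):
            if k != j:
                term *= (x - xk) / (xj - xk)
        total += term
    return total

def max_error(f, lo, hi, bits, seg_bits, degree):
    """Worst-case |f - approximation| over all 2**bits fixed-point inputs.

    Assumption: the segment index is the top seg_bits bits of the input,
    so segment selection needs no comparisons on the input value.
    """
    n, m = 1 << bits, 1 << seg_bits
    step, width = (hi - lo) / n, (hi - lo) / m
    worst = 0.0
    for i in range(n):
        x = lo + i * step
        a = lo + (i >> (bits - seg_bits)) * width      # left edge of the segment
        if degree == 0:
            nodes = [a + width / 2]                    # constant: midpoint value
        else:
            nodes = [a + width * t / degree for t in range(degree + 1)]
        approx = lagrange(nodes, [f(v) for v in nodes], x)
        worst = max(worst, abs(f(x) - approx))
    return worst

def segments_needed(f, lo, hi, bits, degree, eps):
    """Smallest power-of-two segment count meeting eps, or None if none does."""
    for seg_bits in range(bits + 1):
        if max_error(f, lo, hi, bits, seg_bits, degree) <= eps:
            return 1 << seg_bits
    return None

if __name__ == "__main__":
    for d in (0, 1, 2):
        print(d, segments_needed(sigmoid, -8.0, 8.0, 12, d, 0.01))
```

Each segment stores degree + 1 coefficients, so a higher degree shrinks the lookup table but adds multiplications to the evaluation of every input.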